View status causes "unable to query SAD entry" in log



  • After viewing the IPSEC status in the GUI I see a lot of errors in the log (newest entries on top):

    Jun 2 09:09:06 charon 13[KNL] <con6000|664>unable to query SAD entry with SPI d6289bef: No such file or directory (2)
    Jun 2 09:09:06 charon 13[KNL] <con6000|664>unable to query SAD entry with SPI d6289bed: No such file or directory (2)
    Jun 2 09:09:06 charon 13[KNL] <con6000|664>unable to query SAD entry with SPI d6289bec: No such file or directory (2)
    Jun 2 09:09:06 charon 13[KNL] <con6000|664>unable to query SAD entry with SPI d6289bea: No such file or directory (2)
    Jun 2 09:09:06 charon 13[KNL] <con18000|659>unable to query SAD entry with SPI 8a5c9020: No such file or directory (2)
    Jun 2 09:09:06 charon 13[KNL] <con18000|659>unable to query SAD entry with SPI 8a5c901e: No such file or directory (2)
    Jun 2 09:09:06 charon 13[KNL] <con2|589>unable to query SAD entry with SPI c02d9ad7: No such file or directory (2)
    Jun 2 09:09:06 charon 13[CFG] vici client 1714 requests: list-sas
    Jun 2 09:09:06 charon 13[CFG] vici client 1714 registered for: list-sa
    Jun 2 09:09:06 charon 07[CFG] vici client 1714 connected

    This seems to happen after phase1 is renegotiated. After a fresh start I don't see this behaviour.
    It seems it’s looking for old SAs that don’t exist anymore. Can this do any harm? Con6000 is quite unstable, must be restarted a few times a week; tunnel is up but suddenly no traffic flowing anymore.
    If the old SAs are still referenced somewhere, maybe that is related to the instability?



  • What does "unable to query SAD entry with SPI XXXXXXXX: No such file or directory (2)" in general mean exactly? What does it mean if I'm seeing this very often for just one specific connection?
    Is it the other side querying an SPI that is not there anymore?
    If so, why does the local vici client also cause this same error? It just asks for a list of the SAs available, doesn't it? If the SPI is not there anymore, it should not be in the list….



  • Not likely that'd be the source of any problems. Probably just that strongswan still has record of it, though it's not using it, and the OS has deleted it since it's been rekeyed. You can check the raw output of 'ipsec statusall' to see.
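
An added example, not part of the thread or of any project's code: a small log triage script that groups the "unable to query SAD entry" errors by connection and separates those logged alongside a vici `list-sas` request (a status view) from those that appear on their own. The sample lines are copied from the excerpt in the first post; matching on the same timestamp and worker thread is a heuristic assumed here, and `summarize` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Sample lines copied from the log excerpt in the first post (newest first).
SAMPLE = """\
Jun 2 09:09:06 charon 13[KNL] <con6000|664>unable to query SAD entry with SPI d6289bef: No such file or directory (2)
Jun 2 09:09:06 charon 13[KNL] <con6000|664>unable to query SAD entry with SPI d6289bed: No such file or directory (2)
Jun 2 09:09:06 charon 13[KNL] <con18000|659>unable to query SAD entry with SPI 8a5c9020: No such file or directory (2)
Jun 2 09:09:06 charon 13[KNL] <con2|589>unable to query SAD entry with SPI c02d9ad7: No such file or directory (2)
Jun 2 09:09:06 charon 13[CFG] vici client 1714 requests: list-sas
Jun 2 09:09:06 charon 07[CFG] vici client 1714 connected
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+charon\s+(?P<thread>\d+)"
                  r"\[(?P<grp>\w+)\]\s*(?P<msg>.*)$")
STALE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)>\s*"
                   r"unable to query SAD entry with SPI (?P<spi>[0-9a-f]+)")
LIST_SAS = re.compile(r"vici client \d+ requests: list-sas")

def summarize(text):
    """Return {conn: {"spis", "ike_ids", "status_poll", "other"}} for stale-SPI errors."""
    polls = set()   # (timestamp, thread) pairs that handled a vici list-sas request
    errors = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m["grp"] == "CFG" and LIST_SAS.search(m["msg"]):
            polls.add((m["ts"], m["thread"]))
        elif m["grp"] == "KNL":
            s = STALE.search(m["msg"])
            if s:
                errors.append((m["ts"], m["thread"], s))
    out = defaultdict(lambda: {"spis": set(), "ike_ids": set(),
                               "status_poll": 0, "other": 0})
    for ts, thread, s in errors:
        entry = out[s["conn"]]
        entry["spis"].add(s["spi"])
        entry["ike_ids"].add(s["ike"])
        # Heuristic (assumption): same second and same worker thread as a
        # list-sas request means the error was triggered by a status view.
        entry["status_poll" if (ts, thread) in polls else "other"] += 1
    return dict(out)

if __name__ == "__main__":
    for conn, e in sorted(summarize(SAMPLE).items()):
        print(conn, sorted(e["spis"]), "status_poll:", e["status_poll"], "other:", e["other"])
```

A connection whose errors all land in `status_poll` is only being reported when the status page is viewed; a nonzero `other` count for one connection is the case worth comparing against the times that tunnel stopped passing traffic.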



  • Hello, I have the same problem, but only with one tunnel. I have 6 running and only one fails me.

    Attachment capture error.

    I hope for your answer

    Thank you

    ![Captura de pantalla 2017-09-23 a les 16.27.10.png](/public/imported_attachments/1/Captura de pantalla 2017-09-23 a les 16.27.10.png)



  • Hi

    Facing the same…

    Anyone found a solution?

    Thanks



  • @jcasanellas:

    Hello, I have the same problem, but only with one tunnel. I have 6 running and only one fails me.

    Attachment capture error.

    I hope for your answer

    Thank you

    That devices on the other side?